Cyber, again

Something on the Just Security law blog caught my attention today:

"For a growing number of states, cyber operations are now firmly ensconced as a means of conducting traditional and not-so-traditional statecraft, to include conflict. Cyberspace has delivered tremendous benefits, but its unique construct and ubiquity have also created significant national security vulnerabilities, generating unprecedented challenges to the existing framework of international peace and security. One need look no further than North Korea’s destructive and subversive actions against Sony Pictures, its launch of the Wannacry ransomware, Russia’s launch of the indiscriminate NotPetya malware against the Ukraine, or its cyber-enabled covert influence campaigns against the U.S. and other western democracies to realize that cyber capabilities are increasingly part of a powerful arsenal states are using to pursue their interests, oftentimes through aggressive actions aimed at disrupting the status quo. As the recently released Command Vision for US Cyber Command recognizes, the emerging cyber-threat landscape is marked by adversary states engaging in sustained, well-constructed campaigns to challenge and weaken western democracies through actions designed to hover below the threshold of armed conflict while still achieving strategic effect. And as the Cyber Command Vision also makes clear, passive, internal cyber security responses have proved inadequate, ceding strategic initiative and rewarding bad behavior."

I've argued for years that most people (including many journalists and far too many so-called cybersecurity professionals) interpret "cybersecurity" rather differently to how it is being used in the government/military context. Whereas everyday Internet security is part of the problem space, it's a small part. Ordinary controls such as firewalls and antivirus are woefully inadequate defences against the "powerful arsenals" being developed and deployed by "adversary states". Those "unprecedented challenges" are not going to be met with off-the-shelf security solutions - just as wet cardboard is not much use as a bulletproof vest.

One of the lessons in next month's awareness module on insider threats is that everyday controls are inadequate against high-end threats involving committed and resourceful adversaries - and yet, it makes sense to start with those everyday controls both to knock back the everyday issues and as a platform for the more advanced stuff. The cases we'll be using illustrate the range of insider threats nicely, from casual expenses fraud to espionage.

In discussing the more severe end of the scale, I'm conscious of the risk of alienating the most naive parts of the audience ... and yet if we don't make the effort to open their eyes to what's going on, they will remain oblivious. Actual incidents reported by the news media are a good way to demonstrate that we are not entirely paranoid. Headline stories catch their attention: all we need to do is explain what's behind the headline. Easy, when you know how.